[chrizel]

> And from Microsoft / GitHub - who would have a lot additional information (logs, ip-adresses, use of two-factor auth etc.)? Have they made a statement?

Based on a HN comment from a couple of weeks ago, by analyzing the attackers IP addresses from IRC chat logins, it seems they used a VPN service. If you think about it, it makes sense to always use VPN when doing an operation like this. So I think the ip addresses won't be of much use.

[heavyset_go]

Might be able to tell which VPN service they used and can then subpoena it.

[gzer0]

Based on the sophistication we've seen, they probably used Mullvad for their VPN. In that case, a subpoena wouldn't turn up anything.

[mtsr]

I don’t know if it’s been tried, but if not it would be in everyone’s interest to see what Mullvad will actually cough up.

[trogdor]

I have seen NordVPN’s response to a subpoena. Their response was that they had no records connecting an IP address at a specific date/time to any particular person.

[emayljames]

it would be the end of their business if they did, as they have a strict no retention policy. This would mean they are lying to all their customers, so it is not going to happen.